CN110457529B - Post data processing method and device, computer equipment and storage medium - Google Patents

Post data processing method and device, computer equipment and storage medium

Info

Publication number: CN110457529B
Authority: CN (China)
Prior art keywords: post, node, facultative, target, authority
Legal status: Active
Application number: CN201910603609.0A
Other languages: Chinese (zh)
Other versions: CN110457529A (en)
Inventors: 罗振珊, 唐炳武
Current Assignee: Ping An Property and Casualty Insurance Company of China Ltd
Original Assignee: Ping An Property and Casualty Insurance Company of China Ltd
Application filed by: Ping An Property and Casualty Insurance Company of China Ltd
Priority to: CN201910603609.0A
Earlier publication: CN110457529A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9024 Graphs; Linked lists
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G06F16/9038 Presentation of query results
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G06Q10/105 Human resources


Abstract

The invention discloses a post data processing method and device, computer equipment and a storage medium. It is applied in the technical field of graph databases and addresses the audit omissions and low audit efficiency that arise when risk audit is performed on employees' facultative (concurrently held) posts. The method provided by the invention comprises the following steps: traversing a preset post decision graph with a target employee's old post data label, new post data label, each target authority and the one or more target systems as input, and outputting the nodes and node relationships found during traversal to obtain the facultative post graph of the target employee; acquiring the permitted facultative duration of each facultative correspondence on that graph; calculating the elapsed facultative duration of the target employee from the post-adjustment time and the current system time; judging, for each facultative correspondence, whether its permitted facultative duration is less than the elapsed facultative duration, to obtain a facultative judgment result; and outputting and displaying the facultative post graph of the target employee, marking on it each facultative correspondence whose facultative judgment result is yes.

Description

Post data processing method and device, computer equipment and storage medium
Technical Field
The invention relates to the technical field of graph databases, in particular to a post data processing method, a post data processing device, computer equipment and a storage medium.
Background
For many enterprises, employee post transfers are a common occurrence. Generally, after an employee changes post, the system authority of the previous post needs to be revoked or cleaned up, and the system authority of the new post needs to be granted to the employee. In some special cases, however, after moving between two posts the employee needs to work in both posts for a time to complete the work handover, or the system authority of the previous post needs to be retained so that it can be used by a new employee who has not yet obtained system authorization but must start work immediately. At present, therefore, most enterprises arrange for specialized auditors to analyze the risk posed by these facultative-post employees (employees holding posts concurrently) from the system operation logs. However, when the number of such employees is large, or the volume of data such as system operation logs is large, the auditors' work is greatly hindered: audit efficiency is low, audit omissions occur easily, and hidden dangers are introduced into the enterprise's security management.
Therefore, finding an efficient post data processing method becomes an urgent problem to be solved by those skilled in the art.
Disclosure of Invention
The embodiment of the invention provides a post data processing method and device, computer equipment and a storage medium, which are used for solving the problems that audit omissions occur easily and audit efficiency is low when risk audit is performed on employees' facultative posts.
A post data processing method comprises the following steps:
acquiring a target employee's old post data label before the post adjustment, new post data label after the post adjustment, post-adjustment time and each target authority, wherein the target employee is an employee who holds two or more posts simultaneously, and each target authority belongs to one or more target systems;
traversing a preset post decision graph with the old post data label, the new post data label, each target authority and the one or more target systems of the target employee as input, and outputting the nodes and node relationships found during traversal to obtain a facultative post graph of the target employee, wherein the post decision graph is built in a graph database from all preset authorities, the systems to which those authorities belong and the posts corresponding to each authority; on the post decision graph each authority is an authority node, each system is a system node and each post is a post node, and the facultative correspondences between post nodes and their facultative durations are recorded;
acquiring the permitted facultative duration of each facultative correspondence on the facultative post graph;
calculating the elapsed facultative duration of the target employee from the post-adjustment time and the current system time;
for each facultative correspondence on the facultative post graph, judging whether its permitted facultative duration is less than the elapsed facultative duration, to obtain a facultative judgment result for each facultative correspondence;
and outputting and displaying the facultative post graph of the target employee, and marking on it each facultative correspondence whose facultative judgment result is yes.
A post data processing apparatus comprising:
a post authority acquiring module, configured to acquire a target employee's old post data label before the post adjustment, new post data label after the post adjustment, post-adjustment time and each target authority, wherein the target employee is an employee who holds two or more posts at the same time, and each target authority belongs to one or more target systems;
a facultative post graph output module, configured to traverse a preset post decision graph with the old post data label, the new post data label, each target authority and the one or more target systems of the target employee as input, and to output the nodes and node relationships found during traversal to obtain a facultative post graph of the target employee, wherein the post decision graph is built in a graph database from all preset authorities, the systems to which those authorities belong and the posts corresponding to each authority; each authority is an authority node, each system is a system node and each post is a post node, and the facultative correspondences between post nodes and their facultative durations are recorded;
a facultative duration obtaining module, configured to obtain the permitted facultative duration of each facultative correspondence on the facultative post graph;
an elapsed facultative duration calculation module, configured to calculate the elapsed facultative duration of the target employee from the post-adjustment time and the current system time;
a facultative duration determining module, configured to determine, for each facultative correspondence on the facultative post graph, whether its permitted facultative duration is less than the elapsed facultative duration, and to obtain a facultative determination result for each facultative correspondence;
and a facultative correspondence marking module, configured to output and display the facultative post graph of the target employee, and to mark on it each facultative correspondence whose facultative determination result is yes.
A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the post data processing method when executing the computer program.
A computer-readable storage medium, which stores a computer program that, when executed by a processor, implements the steps of the post data processing method described above.
In the post data processing method and device, computer equipment and storage medium, first, the target employee's old post data label before the post adjustment, new post data label after the post adjustment, post-adjustment time and each target authority are obtained, wherein the target employee is an employee who holds two or more posts simultaneously, and each target authority belongs to one or more target systems. Then, with the old post data label, the new post data label, each target authority and the one or more target systems of the target employee as input, a preset post decision graph is traversed, and the nodes and node relationships found during traversal are output to obtain the facultative post graph of the target employee. The post decision graph is built in a graph database from all preset authorities, the systems to which those authorities belong and the posts corresponding to each authority; on it each authority is an authority node, each system is a system node and each post is a post node, and the facultative correspondences between post nodes and their facultative durations are recorded. Next, the permitted facultative duration of each facultative correspondence on the facultative post graph is obtained, and the elapsed facultative duration of the target employee is calculated from the post-adjustment time and the current system time. For each facultative correspondence on the facultative post graph, it is judged whether its permitted facultative duration is less than the elapsed facultative duration, giving a judgment result for each facultative correspondence. Finally, the facultative post graph of the target employee is output and displayed, and each facultative correspondence whose judgment result is yes is marked on it.
It can be seen that the invention presets the post decision graph in a graph database. When a target employee is audited, the old post data label, the new post data label, each target authority and the target systems to which they belong are used as input, and the post decision graph is traversed to obtain the facultative post graph of the target employee. By judging the facultative duration of each facultative correspondence on that graph, the correspondences whose facultative duration is abnormal are identified, so that employees' facultative posts are audited quickly. These facultative correspondences are displayed, which makes further audit processing by the auditor convenient and reduces the possibility of audit omission.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without inventive labor.
FIG. 1 is a diagram of an application environment of a post data processing method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a post data processing method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a post decision graph according to an embodiment of the present invention;
FIG. 4 is a diagram of a facultative post graph according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating a post decision graph labeled with node relationships according to an embodiment of the present invention;
FIG. 6 is a flowchart of pre-establishing the post decision graph in an application scenario of the post data processing method according to an embodiment of the present invention;
FIG. 7 is a flowchart of step 102 of the post data processing method in an application scenario according to an embodiment of the present invention;
FIG. 8 is a flowchart illustrating the facultative duration timeout determination of the post data processing method in an application scenario according to an embodiment of the present invention;
FIG. 9 is a flowchart illustrating the determination of idle authority in the post data processing method in an application scenario according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a post data processing apparatus in an application scenario according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a post data processing apparatus in another application scenario according to an embodiment of the present invention;
FIG. 12 is a block diagram illustrating an exemplary facultative post graph output module;
FIG. 13 is a diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The post data processing method provided by the application can be applied to an application environment as shown in fig. 1, wherein a client communicates with a server through a network. Wherein the client may be, but is not limited to, various personal computers, laptops, smartphones, tablets, and portable wearable devices. The server may be implemented as a stand-alone server or as a server cluster consisting of a plurality of servers.
In an embodiment, as shown in fig. 2, a post data processing method is provided, which is described by taking its application to the server in fig. 1 as an example, and includes the following steps:
101. Acquiring a target employee's old post data label before the post adjustment, new post data label after the post adjustment, post-adjustment time and each target authority, wherein the target employee is an employee who holds two or more posts simultaneously, and each target authority belongs to one or more target systems;
In this embodiment, the server may obtain the post information of each employee through the human resource management system, where the post information includes the employee's old post data label before the post adjustment, new post data label after the post adjustment, post-adjustment time, and each authority (i.e., target authority) owned by each post.
The human resource management system, such as PeopleSoft, is a system that an enterprise uses specifically to manage human resources, such as employee attendance, posts, transfers, departures, and superior and subordinate relationships.
It should be noted that the target employee in this embodiment is an employee who holds two or more posts at the same time. In addition, each target authority generally belongs to one or more target systems; for example, employee A has authority 1 and authority 2, where authority 1 belongs to system A and authority 2 belongs to system B.
102. Traversing a preset post decision graph with the old post data label, the new post data label, each target authority and the one or more target systems of the target employee as input, and outputting the nodes and node relationships found during traversal to obtain a facultative post graph of the target employee, wherein the post decision graph is built in a graph database from all preset authorities, the systems to which those authorities belong and the posts corresponding to each authority; on the post decision graph each authority is an authority node, each system is a system node and each post is a post node, and the facultative correspondences between post nodes and their facultative durations are recorded;
In this embodiment, after obtaining the old post data label, the new post data label, each target authority and the one or more target systems of the target employee, the server may traverse a preset post decision graph with these as input, and output the nodes and node relationships found during traversal to obtain the facultative post graph of the target employee. The post decision graph is built in a graph database, and records the facultative correspondences between post nodes and the preset facultative duration of each facultative correspondence. The facultative duration referred to here is the maximum length of time for which the two posts of a facultative correspondence may be held concurrently by the same employee. For example, if a facultative correspondence with a facultative duration of 7 days is set between post C and post D, then an employee B who is adjusted from post C to post D, or from post D to post C, may hold posts C and D concurrently for at most 7 days after the adjustment.
It should be noted that, for each authority, the posts that may use the authority are preset, and posts that are not so set cannot use it. The posts that may use an authority are the posts corresponding to that authority. When employees are assigned to or moved between posts, the authorities corresponding to a post are the authorizable authorities of that post, which means that an employee assigned to the post can be authorized to use those authorities.
For ease of understanding, the process of pre-establishing the post decision graph is described in detail below. As shown in fig. 6, further, the post decision graph is pre-established by the following steps:
201. creating a system node for each system;
202. for each system, creating an authority node for each authority under that system, wherein one authority corresponds to one authority node;
203. for each authority node, creating a post node for each authorized post, wherein one authorized post corresponds to one post node, and the authorized posts are the posts that can be authorized to use the authority of that authority node;
204. for each system node, establishing a node relationship between the system node and each corresponding authority node under it, to obtain an initial decision graph;
205. on the initial decision graph, for each authority node, establishing a node relationship between the authority node and each post node corresponding to it, to obtain an initial post graph;
206. acquiring the preset facultative correspondences between pairs of posts and the facultative duration of each facultative correspondence;
207. traversing each system node on the initial post graph, traversing depth-first each authority node and each post node under each system node, and during traversal establishing post node relationships between post nodes according to the facultative correspondences, to obtain the post decision graph, wherein the attribute value of a post node relationship is the facultative duration of the facultative correspondence to which that post node relationship corresponds.
With respect to step 201, the post decision graph should ideally include all preset authorities, that is, all authorities that an employee may use when using each system. All authorities referred to here can thus be regarded as all authorities that an employee may use at work. Each authority may belong to a different system, and the systems to which all the authorities belong cover all the systems of the enterprise where the employees work. Therefore, in step 201, the system nodes are created from all systems, one system node per system. Examples are the system node "SYS-A" and the system node "SYS-B" shown in fig. 3. Note that "SYS-A" and "SYS-B" are attribute values of system nodes, and may be name codes preset for a given system, such as a user management system.
With respect to step 202, because there is a membership relationship between systems and authorities, the server may create, for each system, an authority node for each authority under that system, and the created authority nodes are attached under the system node corresponding to the system. One authority corresponds to one authority node. As shown in fig. 3, two authority nodes "role 1" and "role 2" are created under the system node "SYS-A", and two authority nodes "role 1" and "role 2" are created under the system node "SYS-B". Here "role 1" and "role 2" are attribute values of the authority nodes, which may come from the names of the authorities corresponding to these authority nodes, such as policy entry, policy approval, and so on.
With respect to step 203, similarly, there is an authorization relationship between authorities and posts, so the server may create, for each authority node, a post node for each authorized post; that is, one authorized post corresponds to one post node, and the authorized posts are the posts that can be authorized to use the authority of that authority node. As shown in fig. 3, 3 post nodes "post 1", "post 2" and "post 3" are created under the authority node "SYS-A" - "role 1"; the post nodes under the other authority nodes are created in the same manner, see fig. 3, and are not described again here. Here "post 1", "post 2" and "post 3" may specifically be attribute values of post nodes, which may come from the names of the posts corresponding to these post nodes, such as record list, record keeper, and so on.
With respect to step 204, in this embodiment, for each system node, a unidirectional node relationship may be established between the system node and each corresponding authority node below it, such as the SYS-role relationship shown in fig. 3, so as to obtain an initial decision graph. Specifically, in the graph database, the SYS-role relationship may be a unidirectional boolean relationship, which represents the authority nodes (role) owned by each system node (SYS).
With respect to step 205, similarly to step 204, after obtaining the initial decision graph, the server may establish, for each authority node on the initial decision graph, a node relationship between the authority node and each post node corresponding to it. The node relationship is set according to the authorizable relationship between the authority corresponding to the authority node and the post corresponding to the post node, for example the role-post relationship shown in fig. 3. Specifically, in the graph database, the role-post relationship may be a unidirectional boolean relationship, which represents the post nodes (post) corresponding to each authority node (role).
With respect to step 206, whether two posts can be held concurrently is determined by business process or enterprise management rules. For example, an enterprise may consider, from a management point of view, that holding both a policy applying post and a policy examining and approving post carries risk but is permissible. The two posts are then facultative with each other, a facultative correspondence exists between them, and a facultative duration is set for the relationship; that is, the same employee holding both posts within that period of time is considered not to pose a risk. The facultative correspondences between pairs of posts and the facultative durations of those correspondences are therefore preset, and the server can acquire them when needed. As shown in Table 1 below, the facultative correspondences and facultative durations may be recorded in the form of a table, and the server reads the data in the table to obtain them as required.
Table 1
| System | Facultative authorities | Facultative posts | Facultative duration |
| SYS-A, SYS-B | A-role1 vs B-role2 | A-Post1, B-post2 | 7 days |
| SYS-A, SYS-B | A-role2 vs B-role4 | A-Post2, B-post5 | 7 days |
With respect to step 207, after obtaining the initial post graph and the facultative correspondences and facultative durations between posts, the server needs to record those correspondences and durations on the initial post graph, so as to obtain the post decision graph. Referring to fig. 3 and Table 1, after reading the facultative correspondences from the table above, the server traverses each system node on the initial post graph, and each authority node and post node below it, to find the pair of post nodes corresponding to the facultative posts of each facultative correspondence. It then establishes a post node relationship between the pair of post nodes found, and sets the attribute value of that post node relationship to the facultative duration of the corresponding facultative correspondence. For example, the post node relationship in fig. 3 between "post 1" under "role 1" under "SYS-A" and "post 2" under "role 2" under "SYS-B" has the attribute value "pdata = 7", indicating that the facultative duration between these two posts "post 1" and "post 2" is 7 days. Once all post nodes on the initial post graph have been traversed and every post node relationship has been established, the post decision graph is obtained.
For ease of understanding, the following describes in detail how the target employee's information is used to traverse the post decision graph to obtain the facultative post graph. As shown in fig. 7, further, step 102 may include:
301. traversing the system nodes on the post decision graph breadth-first, and finding the system nodes that are the same as the one or more target systems as target system nodes;
302. for each target system node, traversing the authority nodes under it, and finding the authority nodes that are the same as each first authority as target authority nodes, wherein each first authority is a target authority under the target system corresponding to that target system node;
303. for each target authority node, traversing the post nodes under it, and finding the post nodes that are the same as the old post data label or the new post data label as target post nodes;
304. extracting from the post decision graph, and outputting, the target system nodes, the target authority nodes, the target post nodes and the node relationships between the extracted nodes, to obtain the facultative post graph of the target employee.
With respect to step 301, the server first traverses the system nodes on the post decision graph breadth-first, and finds the system nodes that are the same as the target systems used by the target employee, as target system nodes. For example, referring to Table 2 below, the user accounts (UM accounts) of target employee A and target employee B are UM-AAAA and UM-BBBB, respectively. The old post data label of target employee A is post1 and the new post data label is post2; the old post data label of target employee B is post2 and the new post data label is post5; their post-adjustment times are both 20180701. The authority role1 used by target employee A in post post1 belongs to the system SYS-A, and the authority role2 used by target employee A in post post2 belongs to the system SYS-B; the authority role1 used by target employee B in post post2 belongs to the system SYS-A, and the authority role2 used by target employee B in post post5 belongs to the system SYS-B.
Table 2
UM account | Post | Time to post | Post-adjusting time | System | Authority | Time of authorization
UM-AAAA | Post1 | 20160401 | 20180701 | SYS-A | role1 | 20180701
UM-AAAA | Post2 | 20180701 | | SYS-B | role2 | 20180701
UM-BBBB | Post2 | 20150301 | 20180701 | SYS-A | role1 | 20180701
UM-BBBB | Post5 | 20180701 | | SYS-B | role2 | 20180701
When step 301 is executed, the server first finds the "SYS-A" system node and the "SYS-B" system node as target system nodes for target employee A; similarly, for target employee B, it first finds the "SYS-A" system node and the "SYS-B" system node as target system nodes.
For step 302, after finding the target system nodes, the server traverses the authority nodes under each target system node and takes the authority nodes that are the same as the first authorities as target authority nodes, where the first authorities are the target authorities under the target system corresponding to that target system node.
With reference to fig. 3 and continuing the above example, for target employee A the server traverses the authority nodes role1 and role2 under the target system node "SYS-A", finds that the authority corresponding to the authority node role1 is the same as the target authority role1 of target employee A under "SYS-A", and therefore determines role1 to be a target authority node. It then traverses the authority nodes role1 and role2 under the target system node "SYS-B", finds that the authority corresponding to the authority node role2 is the same as the target authority role2 of target employee A under "SYS-B", and therefore determines role2 to be a target authority node.
Similarly, for target employee B the server traverses the authority nodes role1 and role2 under the target system node "SYS-A", finds that the authority corresponding to the authority node role1 is the same as the target authority role1 of target employee B under "SYS-A", and therefore determines role1 to be a target authority node. It then traverses the authority nodes role1 and role2 under the target system node "SYS-B", finds that the authority corresponding to the authority node role2 is the same as the target authority role2 of target employee B under "SYS-B", and therefore determines role2 to be a target authority node.
For step 303, after finding the target authority nodes, the server may traverse the post nodes under each target authority node and take the post nodes that are the same as the old post data label or the new post data label as target post nodes. The example of target employee A and target employee B is continued below.
For target employee A, the server traverses the post nodes under the target authority node role1 and finds that the post1 post node is the same as the old post data label of target employee A, so the post1 post node is determined to be a target post node; it then traverses the post nodes under the target authority node role2 and finds that the post2 post node is the same as the new post data label of target employee A, so the post2 post node is determined to be a target post node.
For target employee B, the server traverses the post nodes under the target authority node role1 and finds that the post2 post node is the same as the old post data label of target employee B, so the post2 post node is determined to be a target post node; it then traverses the post nodes under the target authority node role2 and finds that the post5 post node is the same as the new post data label of target employee B, so the post5 post node is determined to be a target post node.
For step 304, after extracting the target system nodes, the target authority nodes and the target post nodes from the post decision graph, the server may also extract the node relationships among these nodes, so that the target system nodes, the target authority nodes, the target post nodes and the node relationships together constitute the facultative post graph of the target employee.
Continuing the above example, the facultative post graph that the server extracts and outputs for target employee A and target employee B together is shown in fig. 4.
Of course, it should be understood that the server may extract and output one facultative post graph for target employee A and another for target employee B, or may extract target employees A and B onto the same facultative post graph; this embodiment does not specifically limit this.
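Steps 301 to 304 applied to target employees A and B, as an added Python sketch that is not part of the patent text. The graph is held in plain dictionaries rather than a graph database, and the extra posts, the SYS-C system, the 30-day correspondence and all function and variable names are assumptions made for the illustration.

```python
# Post decision graph as nested dicts: system -> authority -> posts.
# Constructed sample data, modelled on the SYS-A / SYS-B example in the text.
DECISION_GRAPH = {
    "SYS-A": {"role1": ["post1", "post2", "post3"], "role2": ["post4"]},
    "SYS-B": {"role1": ["post3"], "role2": ["post2", "post5"]},
    "SYS-C": {"role9": ["post1"]},
}

# Facultative correspondences between post nodes; the value is the
# facultative duration in days (the attribute of the post-node relationship).
CORRESPONDENCES = {
    frozenset({("SYS-A", "role1", "post1"), ("SYS-B", "role2", "post2")}): 7,
    frozenset({("SYS-A", "role1", "post2"), ("SYS-B", "role2", "post5")}): 7,
    frozenset({("SYS-A", "role1", "post3"), ("SYS-B", "role1", "post3")}): 30,
}


def extract_facultative_graph(graph, correspondences, grants, old_post, new_post):
    """Return (nodes, edges, pairs) of one employee's facultative post graph.

    grants maps each target system to the set of target authorities the
    employee holds in it (hypothetical input shape).
    """
    nodes, edges, post_nodes = set(), set(), set()
    labels = {old_post, new_post}

    # Step 301: scan the system layer and keep the employee's target systems.
    target_systems = [system for system in graph if system in grants]

    for system in target_systems:
        nodes.add((system,))
        # Step 302: under each target system keep only the granted authorities.
        for authority, posts in graph[system].items():
            if authority not in grants[system]:
                continue
            nodes.add((system, authority))
            edges.add(((system,), (system, authority)))
            # Step 303: under each target authority keep the posts whose label
            # equals the old or the new post data label.
            for post in posts:
                if post in labels:
                    node = (system, authority, post)
                    nodes.add(node)
                    post_nodes.add(node)
                    edges.add(((system, authority), node))

    # Step 304: keep a facultative correspondence only when both of its
    # post nodes were selected above.
    pairs = {pair: days for pair, days in correspondences.items()
             if pair <= post_nodes}
    return nodes, edges, pairs


# Both employees hold role1 in SYS-A and role2 in SYS-B (Table 2).
GRANTS = {"SYS-A": {"role1"}, "SYS-B": {"role2"}}
GRAPH_A = extract_facultative_graph(DECISION_GRAPH, CORRESPONDENCES, GRANTS, "post1", "post2")
GRAPH_B = extract_facultative_graph(DECISION_GRAPH, CORRESPONDENCES, GRANTS, "post2", "post5")

if __name__ == "__main__":
    for name, (_, _, pairs) in (("A", GRAPH_A), ("B", GRAPH_B)):
        for pair, days in pairs.items():
            print(name, sorted(pair), days)
```

Because step 303 matches on either label, the post2 node under SYS-A/role1 is also selected for employee A; it carries no correspondence in A's result because its partner node, post5, is not one of A's posts.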
103. Acquiring the facultative duration of each facultative correspondence on the facultative post graph;
It can be understood that, since the facultative post graph is extracted from the post decision graph by the server based on the information of the target employee, the information and content recorded on the facultative post graph are those of the target employee. The server can therefore obtain the facultative duration of each facultative correspondence on the facultative post graph. Any facultative correspondence on the facultative post graph is a correspondence between posts held concurrently by the target employee, so the facultative duration is the maximum length of time for which the target employee may hold those posts concurrently. As shown in fig. 4 and continuing the above example, the facultative duration that the server obtains for the facultative correspondence between "SYS-A-role1-post1" and "SYS-B-role2-post2" is pdata (7 days), so the facultative duration for target employee A is 7 days. Similarly, the facultative duration that the server obtains for the facultative correspondence between "SYS-A-role1-post2" and "SYS-B-role2-post5" is pdata (7 days), so the facultative duration for target employee B is also 7 days.
104. Calculating the dualized duration of the target employee according to the post-adjusting time and the current system time;
Continuing the above example, for target employee A the post-adjusting time is 20180701 and the current system time is 20180710, so the dualized duration of target employee A is 10 days. Similarly, the dualized duration of target employee B is also 10 days.
It will be readily understood that the dualized duration referred to here is the length of time for which the target employee has already held two or more posts concurrently.
105. For each facultative correspondence on the facultative post graph, judging whether the facultative duration of the facultative correspondence is less than the dualized duration, to obtain the facultative judgment result of each facultative correspondence;
As can be seen from the above, in this embodiment the facultative duration of a facultative correspondence is the length of time for which the two posts of that correspondence may be held concurrently; within it, the employee's concurrent posts can be regarded as posing no risk or a low risk that the enterprise can tolerate. The dualized duration is the length of time for which the employee has actually held the posts concurrently. Therefore, if the dualized duration of the target employee for the two concurrent posts is longer than the facultative duration, the concurrent-post behaviour of the target employee has produced a higher risk; conversely, if the dualized duration of the target employee for the two concurrent posts is less than or equal to the facultative duration, the behaviour is considered to produce no risk, or a risk within an acceptable range. To audit and manage the concurrent-post behaviour of employees, the server can therefore judge whether the facultative duration of each facultative correspondence is less than the dualized duration and obtain the facultative judgment result of each facultative correspondence, so that high-risk concurrent-post behaviour can be flagged promptly when the facultative post graph of the target employee is output, which makes the auditors' work easier.
106. Outputting and displaying the facultative post graph of the target employee, and marking on the facultative post graph the facultative correspondences whose facultative judgment result is yes.
It can be understood that, after obtaining the facultative post graph of the target employee and the facultative judgment results, the server may output and display the facultative post graph and mark on it the facultative correspondences whose facultative judgment result is yes. Specifically, such a facultative correspondence may be rendered with a highlighting effect. For example, when the facultative post graph is displayed, the connecting lines of facultative correspondences whose facultative judgment result is no are drawn in black and the connecting lines of facultative correspondences whose facultative judgment result is yes are drawn in red; distinguishing abnormal from normal facultative correspondences by colour makes the graph easier for an auditor to read.
Preferably, the facultative post graph of the target employee may be output and displayed through the neo4j engine.
In practical application scenarios, a higher risk naturally exists when the dualized duration of the target employee exceeds the facultative duration, but within this type of risk some concurrent-post behaviour is riskier still. For example, not only does the dualized duration exceed the facultative duration, but the employee also still exercises the authority of the old post data label in the period after the facultative duration has run out; such unauthorized operation on top of already high-risk concurrent-post behaviour obviously brings an even higher risk to the security management of the enterprise. For such a scenario, this embodiment therefore uses the system operation log to analyse the target employee's operations on each target authority, determines whether the target employee has engaged in the above unauthorized high-risk behaviour, and handles it in time. As shown in fig. 8, the method may further include:
401. extracting from a system operation log the time at which the target employee most recently used each target authority, to obtain the most recent use times;
402. for each facultative correspondence on the facultative post graph, calculating the latest use time of the facultative correspondence according to the post-adjusting time and the facultative duration of the facultative correspondence;
403. for each facultative correspondence on the facultative post graph, judging whether the most recent use time of the target authority corresponding to the old post data label of the facultative correspondence is later than the latest use time, to obtain the overtime judgment result of each facultative correspondence;
404. if the overtime judgment result of any facultative correspondence on the facultative post graph is yes, sending alarm information to designated personnel.
For step 401, the server may extract the operation records of any employee from the system operation log through log analysis, that is, it may extract the times at which the target employee used each target authority, and by comparing the times recorded for the same target authority it obtains the most recent use time of each target authority.
Continuing the above example, the server can readily extract the contents shown in Table 3 below from the system operation log:
Table 3
System (sys) | Authority (role) | Accessed resource (C_url) | UM account | Most recent use time
SYS-A | role1 | /SysA.paic.com.cn/url1,url3 | UM-AAAA | 20180709
SYS-B | role2 | /SysA.paic.com.cn/url2,url4,url5 | UM-AAAA | 20180709
SYS-B | role2 | /SysB.paic.com.cn/url3,url3 | UM-BBBB | 20180709
SYS-B | role5 | /SysB.paic.com.cn/url4,url5 | UM-BBBB | 20180709
As can be seen from the contents of Table 3, the time at which target employee A most recently used the target authority "SYS-A-role1" is 20180708, and the time at which target employee A most recently used the target authority "SYS-B-role2" is 20180709; target employee B most recently used the target authority "SYS-B-role5" at 20180709 and did not use the target authority "SYS-A-role2".
For step 402, in this embodiment the server may calculate, for each facultative correspondence on the facultative post graph, the latest use time of the facultative correspondence according to the post-adjusting time and the facultative duration of the facultative correspondence. Continuing the above example, the post-adjusting time of target employee A is 20180701 and the facultative duration is 7 days, so the latest use time of target employee A is calculated to be 20180708. This means that target employee A may hold the posts concurrently until July 8, 2018 at the latest, after which the authority of the old post data label, that is, the target authority "SYS-A-role1", should no longer be used. Similarly, the post-adjusting time of target employee B is 20180701 and the facultative duration is 7 days, so the latest use time of target employee B is calculated to be 20180708. This means that target employee B may hold the posts concurrently until July 8, 2018 at the latest, after which the authority of the old post data label, that is, the target authority "SYS-A-role2", may not be used.
For steps 403 and 404, as mentioned above, the server can learn whether the target employee has engaged in serious unauthorized behaviour by judging whether the most recent use time of the target authority corresponding to the old post data label of each facultative correspondence is later than the latest use time. If the overtime judgment result of any facultative correspondence on the facultative post graph is yes, the target employee has used the authority past the deadline in the concurrent posts of that facultative correspondence. This overtime use carries a great risk, so the server can send alarm information to designated personnel, for example to the auditors and to the superior leader of the target employee, so that they can take countermeasures in time and serious management consequences are avoided. Conversely, if the overtime judgment results of all facultative correspondences on the facultative post graph are no, the target employee has not used any authority past the deadline and has performed no high-risk operation, so the server does not need to send alarm information and only needs to proceed according to the normal flow, for example waiting for the auditor to revoke the target employee's authorization for the authority of the old post data label.
Preferably, for a facultative correspondence whose overtime judgment result is no and whose facultative judgment result is yes, the server may also automatically delete the target employee's authority on that facultative correspondence, so that the authority of the old post data label is cleared automatically. In such a facultative correspondence the target employee has held the old post data label concurrently for long enough but has shown no high-risk unauthorized behaviour, so further auditing is unnecessary, and an automatic clean-up is an efficient and reasonable way to handle it.
Preferably, when the facultative post graph is displayed, the server may further record the actual operation duration corresponding to each facultative correspondence as an attribute of that facultative correspondence, namely as its second attribute value. For example, for target employee A the most recent use time of the old post data label post1 is 20180709 and the post-adjusting time is 20180701; the difference between the two is 8 days, that is, the actual operation duration of target employee A in the concurrent post is 8 days, and these 8 days are recorded as the second attribute value of the facultative correspondence between "SYS-A-role1-post1" and "SYS-B-role2-post2". When auditing the facultative correspondence, an auditor can thus directly read the actual operation duration of the target employee's concurrent post and judge the target employee's unauthorized-use risk at a glance.
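The checks of steps 104 to 105 and 401 to 404, together with the automatic clean-up and the second attribute value described above, as an added Python example that is not part of the patent text. The log events are constructed on the model of Table 3, durations are computed by plain date subtraction (an assumption, since the text does not fix a day-counting convention), and all function names and action labels are hypothetical.

```python
from datetime import datetime, timedelta


def day(text):
    """Parse the yyyymmdd stamps used in the tables."""
    return datetime.strptime(text, "%Y%m%d").date()


# Constructed operation-log events modelled on Table 3:
# (UM account, system, authority, day of use).
OPERATION_LOG = [
    ("UM-AAAA", "SYS-A", "role1", "20180703"),
    ("UM-AAAA", "SYS-A", "role1", "20180709"),
    ("UM-AAAA", "SYS-B", "role2", "20180709"),
    ("UM-BBBB", "SYS-B", "role2", "20180705"),
    ("UM-BBBB", "SYS-B", "role2", "20180709"),
    ("UM-BBBB", "SYS-B", "role5", "20180709"),
]


def most_recent_use(log):
    """Step 401: keep the latest day per (account, system, authority)."""
    recent = {}
    for account, system, authority, stamp in log:
        key = (account, system, authority)
        used = day(stamp)
        if key not in recent or used > recent[key]:
            recent[key] = used
    return recent


def audit_correspondence(account, adjust_stamp, old_authority,
                         facultative_days, recent, today_stamp):
    """Evaluate one facultative correspondence of one employee.

    old_authority is the (system, authority) pair tied to the old post.
    """
    adjusted, today = day(adjust_stamp), day(today_stamp)

    # Step 104: time already spent holding both posts.
    dualized_days = (today - adjusted).days
    # Step 105: "yes" when the allowance is smaller than the time spent.
    exceeded = facultative_days < dualized_days

    # Step 402: last day on which the old post's authority may be used.
    deadline = adjusted + timedelta(days=facultative_days)
    # Step 403: "yes" when the old authority was used after that day.
    last_old_use = recent.get((account, *old_authority))
    overtime = last_old_use is not None and last_old_use > deadline

    if overtime:
        action = "alert"          # step 404: notify designated personnel
    elif exceeded:
        action = "auto-revoke"    # allowance used up, no late use
    else:
        action = "none"           # still inside the allowance

    return {
        "dualized_days": dualized_days,
        "exceeded": exceeded,
        "deadline": deadline.strftime("%Y%m%d"),
        "overtime": overtime,
        # Second attribute value: days from post adjustment to last old use.
        "actual_days": (None if last_old_use is None
                        else (last_old_use - adjusted).days),
        "action": action,
    }


RECENT = most_recent_use(OPERATION_LOG)
RESULT_A = audit_correspondence("UM-AAAA", "20180701", ("SYS-A", "role1"),
                                7, RECENT, "20180710")
RESULT_B = audit_correspondence("UM-BBBB", "20180701", ("SYS-A", "role1"),
                                7, RECENT, "20180710")

if __name__ == "__main__":
    print("A:", RESULT_A)
    print("B:", RESULT_B)
```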
Furthermore, the post decision graph is also provided with a node relationship that records the maximum idle duration; this node relationship is used to judge whether an authority is idle, so that the authority can be frozen or a superior leader can be reminded to pay attention.
In the practical application scenario of user management, the system operation log shows whether the target employee uses a target authority, and from this it can be determined whether the target employee exhibits abnormal behaviour such as passive idling or failing to carry out business operations as required. Therefore, as shown in fig. 9, the attribute value of the node relationship between an authority node and a post node on the post decision graph is the authority idleable duration, and the method may further include:
501. extracting from a system operation log the time at which the target employee most recently used each target authority, to obtain the most recent use times;
502. for each target authority, calculating the idle duration of the target authority according to its most recent use time and the current system time;
503. for each target authority, judging whether the idle duration of the target authority is less than or equal to the authority idleable duration corresponding to that target authority, to obtain the idle judgment result of each target authority;
504. marking on the facultative post graph the node relationships whose idle judgment result is yes.
First, the node relationship between an authority node and a post node on the post decision graph can be as shown in fig. 5:
As shown in fig. 5, in the graph database the attribute value of the node relationship between an authority node and a post node may specifically be recorded as an int-type relationship attribute holding the value of Ldata. For example, the value of Ldata between the authority node "role1" and the post node "post1" under the system node "SYS-A" is 30, which means that an employee at post1 may leave the authority "SYS-A-role1" idle for at most 30 days.
For step 501, the server may extract the operation records of any employee from the system operation log through log analysis, that is, it may extract the times at which the target employee used each target authority, and by comparing the times recorded for the same target authority it obtains the most recent use time of each target authority.
For step 502, after extracting the most recent use time of each target authority, the server may calculate the idle duration of each target authority according to its most recent use time and the current system time. For example, assuming that target employee C most recently used the authority role1 at 20180701 and the current system time is 20180710, subtracting the most recent use time from the current system time gives an idle duration of 9 days for the authority role1.
For step 503, after calculating the idle duration of each target authority, the server may judge whether the idle duration of each target authority is less than or equal to the authority idleable duration corresponding to that target authority. If the idle judgment result is yes, the time for which the target authority has been idle is still within the normal range and there is no abnormality; otherwise, if the idle judgment result is no, the idle duration of the target authority exceeds the normal range, the target employee has not used the target authority for too long, and this abnormal condition should trigger an alarm or corresponding handling.
For step 504, in this embodiment, when the facultative post graph is output and displayed, the server may display the idle judgment results on it as well; specifically, it may mark on the facultative post graph the node relationships whose idle judgment result is yes. In this way the auditor can handle the abnormal condition in the same audit.
Preferably, when the idle judgment result is yes, the server may automatically freeze the target authority or notify the superior leader of the target employee, so as to check whether the target employee exhibits abnormal behaviour such as passive idling or failing to carry out business operations as required.
In the embodiment of the invention, first, the old post data label before the post change, the new post data label after the post change, the post-adjusting time and the target authorities of a target employee are obtained, where the target employee is an employee who holds two or more posts at the same time and the target authorities belong to one or more target systems. Then, a preset post decision graph is traversed with the old post data label, the new post data label, the target authorities and the one or more target systems of the target employee as input, and the nodes and node relationships found during the traversal are output to obtain the facultative post graph of the target employee. The post decision graph is built on a graph database from all preset authorities, all systems to which those authorities belong and the posts corresponding to each authority; on the post decision graph each authority is an authority node, each system is a system node and each post is a post node, and the facultative correspondences and facultative durations between post nodes are recorded. Next, the facultative duration of each facultative correspondence on the facultative post graph is obtained, and the dualized duration of the target employee is calculated according to the post-adjusting time and the current system time. For each facultative correspondence on the facultative post graph, it is judged whether the facultative duration of the facultative correspondence is less than the dualized duration, to obtain the judgment result of each facultative correspondence. Finally, the facultative post graph of the target employee is output and displayed, and the facultative correspondences whose judgment result is yes are marked on it.
The invention therefore presets a post decision graph based on a graph database. When a target employee is audited, the old post data label, the new post data label, the target authorities and the target systems to which they belong are taken as input, the post decision graph is traversed to obtain the facultative post graph of the target employee, and, by judging the facultative durations of the facultative correspondences on the graph, the facultative correspondences whose concurrent-post time is abnormal are marked on it. This enables rapid auditing of employees' concurrent posts and displays the facultative correspondences, which facilitates further handling by the auditors and reduces the chance of audit omissions.
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an execution order; the execution order of each process should be determined by its function and inherent logic, and the numbering should not constitute any limitation on the implementation of the embodiments of the present invention.
In an embodiment, a post data processing apparatus is provided, which corresponds one to one to the post data processing method in the foregoing embodiments. As shown in fig. 10, the post data processing apparatus includes a post authority obtaining module 601, a facultative post graph output module 602, a facultative duration obtaining module 603, a dualized duration calculating module 604, a facultative duration determining module 605 and a facultative correspondence marking module 606. The functional modules are explained in detail as follows:
a post authority obtaining module 601, configured to obtain the old post data label before the post change, the new post data label after the post change, the post-adjusting time and the target authorities of a target employee, where the target employee is an employee who holds two or more posts at the same time and the target authorities belong to one or more target systems;
a facultative post graph output module 602, configured to traverse a preset post decision graph with the old post data label, the new post data label, the target authorities and the one or more target systems of the target employee as input, and output the nodes and node relationships found during the traversal to obtain the facultative post graph of the target employee, where the post decision graph is built on a graph database from all preset authorities, all systems to which those authorities belong and the posts corresponding to each authority, each authority is an authority node, each system is a system node and each post is a post node on the post decision graph, and the facultative correspondences and facultative durations between post nodes are recorded;
a facultative duration obtaining module 603, configured to obtain the facultative duration of each facultative correspondence on the facultative post graph;
a dualized duration calculating module 604, configured to calculate the dualized duration of the target employee according to the post-adjusting time and the current system time;
a facultative duration determining module 605, configured to judge, for each facultative correspondence on the facultative post graph, whether the facultative duration of the facultative correspondence is less than the dualized duration, to obtain the facultative judgment result of each facultative correspondence;
a facultative correspondence marking module 606, configured to output and display the facultative post graph of the target employee and mark on it the facultative correspondences whose facultative judgment result is yes.
As shown in fig. 11, the post decision graph may further be pre-established by the following modules:
a system node creating module 607, configured to create a system node for each system;
an authority node creating module 608, configured to create, for each system, an authority node for each authority under that system, where one authority corresponds to one authority node;
a post node creating module 609, configured to create, for each authority node, a post node for each authorized post, where one authorized post corresponds to one post node and the authorized posts are the posts that can be authorized to use that authority node;
an initial decision graph establishing module 610, configured to establish, for each system node, the node relationships between that system node and the corresponding authority nodes under it, to obtain an initial decision graph;
an initial post graph establishing module 611, configured to establish, on the initial decision graph and for each authority node, the node relationships between that authority node and the post nodes corresponding to it, to obtain an initial post graph;
a relationship duration obtaining module 612, configured to obtain the preset facultative correspondences between every two posts and the facultative duration of each facultative correspondence;
a post decision graph establishing module 613, configured to traverse the system nodes on the initial post graph breadth-first, traverse the authority nodes and post nodes under each system node depth-first, and during the traversal establish post node relationships between post nodes according to the facultative correspondences, to obtain the post decision graph, where the attribute value of a post node relationship is the facultative duration of the facultative correspondence corresponding to that post node relationship.
As shown in fig. 12, the facultative post graph output module 602 may further include:
a first node searching unit 6021, configured to traverse the system nodes on the post decision graph breadth-first and take the system nodes that are the same as the one or more target systems as target system nodes;
a second node searching unit 6022, configured to traverse, for each target system node, the authority nodes under that target system node and take the authority nodes that are the same as the first authorities as target authority nodes, where the first authorities are the target authorities under the target system corresponding to that target system node;
a third node searching unit 6023, configured to traverse, for each target authority node, the post nodes under that target authority node and take the post nodes that are the same as the old post data label or the new post data label as target post nodes;
a node relationship extracting unit 6024, configured to extract and output the target system nodes, the target authority nodes, the target post nodes and the node relationships among the extracted nodes on the post decision graph, to obtain the facultative post graph of the target employee.
Further, the post data processing apparatus may also include:
a use time extracting module, configured to extract from a system operation log the time at which the target employee most recently used each target authority, to obtain the most recent use times;
a latest time calculating module, configured to calculate, for each facultative correspondence on the facultative post graph, the latest use time of the facultative correspondence according to the post-adjusting time and the facultative duration of the facultative correspondence;
a use time determining module, configured to judge, for each facultative correspondence on the facultative post graph, whether the most recent use time of the target authority corresponding to the old post data label of the facultative correspondence is later than the latest use time, to obtain the overtime judgment result of each facultative correspondence;
an alarm module, configured to send alarm information to designated personnel if the overtime judgment result of any facultative correspondence on the facultative post graph is yes.
Further, the attribute value of the node relationship between an authority node and a post node on the post decision graph is the authority idleable duration, and the post data processing apparatus may also include:
a most recent time extracting module, configured to extract from a system operation log the time at which the target employee most recently used each target authority, to obtain the most recent use times;
an idle duration calculating module, configured to calculate, for each target authority, the idle duration of the target authority according to its most recent use time and the current system time;
an idle duration determining module, configured to judge, for each target authority, whether the idle duration of the target authority is less than or equal to the authority idleable duration corresponding to that target authority, to obtain the idle judgment result of each target authority;
a node relationship marking module, configured to mark on the facultative post graph the node relationships whose idle judgment result is yes.
For the specific definition of the post data processing apparatus, reference may be made to the above definition of the post data processing method, which is not repeated here. The modules in the post data processing apparatus may be implemented wholly or partially by software, hardware, or a combination thereof. The modules may be embedded in, or independent of, a processor of the computer device in hardware form, or may be stored in a memory of the computer device in software form, so that the processor can call them and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 13. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The database of the computer device is used for storing the data involved in the post data processing method. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by the processor to implement a post data processing method.
In one embodiment, a computer device is provided, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the processor executes the computer program, the steps of the post data processing method in the above embodiments are implemented, for example, steps 101 to 106 shown in fig. 2. Alternatively, the processor, when executing the computer program, implements the functions of each module/unit of the post data processing apparatus in the above-described embodiments, for example, the functions of the modules 601 to 606 shown in fig. 10. To avoid repetition, further description is omitted here.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which when executed by a processor implements the steps of the post data processing method in the above-described embodiments, such as steps 101 to 106 shown in fig. 2. Alternatively, the computer program, when executed by the processor, implements the functions of the modules/units of the post data processing apparatus in the above-described embodiments, such as the functions of the modules 601 to 606 shown in fig. 10. To avoid repetition, further description is omitted here.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
It should be clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional units and modules is only used for illustration, and in practical applications, the above function distribution may be performed by different functional units and modules as needed, that is, the internal structure of the apparatus may be divided into different functional units or modules to perform all or part of the above described functions.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.

Claims (10)

1. A post data processing method, comprising:
acquiring an old post data label of a target employee before a post transfer, a new post data label after the post transfer, a post-adjusting time and each target authority, wherein the target employee refers to an employee who has more than two posts simultaneously, and each target authority belongs to more than one target system;
traversing a preset post decision graph by taking the old post data label, the new post data label, each target permission and the more than one target system of the target employee as input, and outputting the nodes and node relations found during traversal to obtain a facultative post graph of the target employee, wherein the post decision graph is established in advance, based on a graph database, from all preset permissions, all systems to which the permissions belong and the post corresponding to each permission; on the post decision graph each permission is taken as a permission node, each system as a system node and each post as a post node, and the facultative corresponding relation and facultative duration between the post nodes are recorded;
obtaining the facultative duration of each facultative corresponding relation on the facultative post graph;
calculating the dualized duration of the target employee according to the post-adjusting time and the current system time;
for each facultative corresponding relation on the facultative post graph, judging whether the facultative duration of each facultative corresponding relation is less than the dualized duration, and obtaining the facultative judgment result of each facultative corresponding relation;
and outputting and displaying the facultative post graph of the target employee, and marking on the facultative post graph the facultative corresponding relation whose facultative judgment result is yes.
2. The post data processing method according to claim 1, wherein the post decision graph is pre-established by:
creating a system node for each system;
for each system, creating an authority node for each authority under the system, wherein one authority corresponds to one authority node;
for each authority node, creating a post node for each authorized post, wherein one authorized post corresponds to one post node, and the authorized posts are the posts that can be authorized to use the authority node;
for each system node, establishing a node relationship between the system node and each corresponding authority node under it, to obtain an initial decision graph;
on the initial decision graph, for each authority node, establishing a node relationship between the authority node and each post node corresponding to it, to obtain an initial post graph;
acquiring a preset facultative corresponding relationship between every two posts and the facultative duration of each facultative corresponding relationship;
and traversing each system node on the initial post graph, depth-first traversing each permission node and each post node under each system node, and establishing post node relationships between the post nodes according to the facultative corresponding relationships during traversal, to obtain the post decision graph, wherein the attribute value of a post node relationship is the facultative duration of the facultative corresponding relationship corresponding to that post node relationship.
3. The method according to claim 1, wherein said traversing a preset post decision graph with said old post data label, said new post data label, said target permissions, and said more than one target system of said target employee as inputs, and outputting the nodes and node relationships found during traversal, to obtain a facultative post graph of said target employee comprises:
breadth-first traversing each system node on the post decision graph, and searching for system nodes that are the same as the more than one target system as target system nodes;
for each target system node, traversing each authority node under each target system node, and searching for the authority nodes that are the same as each first authority as target authority nodes, wherein each first authority refers to each target authority under the target system corresponding to each target system node;
for each target permission node, traversing each post node under each target permission node, and searching for a post node that is the same as the old post data label or the new post data label as a target post node;
and extracting and outputting, on the post decision graph, the target system nodes, the target permission nodes, the target post nodes and the node relations among the extracted nodes, to obtain the facultative post graph of the target employee.
4. The post data processing method according to claim 1, characterized in that the post data processing method further comprises:
extracting, from a system operation log, the time at which the target employee most recently used each target authority, to obtain each recent use time;
for each facultative corresponding relation on the facultative post graph, calculating the latest use time of each facultative corresponding relation according to the post-adjusting time and the facultative duration of each facultative corresponding relation;
for each facultative corresponding relation on the facultative post graph, judging whether the recent use time of the target permission corresponding to the old post data label on each facultative corresponding relation is greater than the latest use time, and obtaining the overtime judgment result of each facultative corresponding relation;
and if the overtime judgment result of any facultative corresponding relation on the facultative post graph is yes, sending alarm information to the designated personnel.
5. The post data processing method according to any one of claims 1 to 4, wherein the attribute value of the node relationship between the authority node and the post node on the post decision graph is the time for which the authority may remain idle, the post data processing method further comprising:
extracting, from a system operation log, the time at which the target employee most recently used each target authority, to obtain each recent use time;
for each target authority, calculating the idle time of each target authority according to the recent use time of each target authority and the current system time;
for each target authority, judging whether the idle time of each target authority is less than or equal to the authority idleable time corresponding to each target authority, to obtain an idle judgment result of each target authority;
and marking, on the facultative post graph, the node relation whose idle judgment result is yes.
6. A post data processing apparatus, comprising:
a post authority acquiring module, configured to acquire an old post data label of a target employee before a post transfer, a new post data label after the post transfer, a post-adjusting time and each target authority, wherein the target employee refers to an employee who has more than two posts at the same time, and each target authority belongs to more than one target system;
a facultative post graph output module, configured to traverse a preset post decision graph with the old post data label, the new post data label, the target permissions, and the more than one target system of the target employee as inputs, and output the nodes and node relationships found during traversal, to obtain a facultative post graph of the target employee, wherein the post decision graph is established in advance, based on a graph database, from all preset permissions, all systems to which the permissions belong, and the post corresponding to each permission; on the post decision graph each permission is used as a permission node, each system as a system node and each post as a post node, and the facultative corresponding relationship and facultative duration between the post nodes are recorded;
a facultative duration obtaining module, configured to obtain the facultative duration of each facultative corresponding relationship on the facultative post graph;
a dualized duration calculation module, configured to calculate the dualized duration of the target employee according to the post-adjusting time and the current system time;
a facultative duration determining module, configured to determine, for each facultative corresponding relationship on the facultative post graph, whether the facultative duration of each facultative corresponding relationship is less than the dualized duration, and obtain a facultative determination result of each facultative corresponding relationship;
and a facultative corresponding relationship marking module, configured to output and display the facultative post graph of the target employee, and mark on the facultative post graph the facultative corresponding relationship whose facultative determination result is yes.
7. The post data processing apparatus according to claim 6, wherein the post decision graph is pre-established by the following modules:
a system node creating module, configured to create a system node for each of the systems;
an authority node creating module, configured to create, for each system, an authority node for each authority under the system, wherein one authority corresponds to one authority node;
a post node creating module, configured to create, for each authority node, a post node for each authorized post, wherein one authorized post corresponds to one post node, and the authorized posts are the posts that can be authorized to use the authority node;
an initial decision graph establishing module, configured to establish, for each system node, a node relationship between the system node and each corresponding authority node under it, to obtain an initial decision graph;
an initial post graph establishing module, configured to establish, on the initial decision graph, a node relationship between each authority node and each post node corresponding to it, to obtain an initial post graph;
a relation duration obtaining module, configured to obtain a preset facultative corresponding relationship between every two posts and the facultative duration of each facultative corresponding relationship;
and a post decision graph establishing module, configured to traverse each system node on the initial post graph, depth-first traverse each permission node and each post node under each system node, and establish post node relationships between the post nodes according to the facultative corresponding relationships during traversal, to obtain the post decision graph, wherein the attribute value of a post node relationship is the facultative duration of the facultative corresponding relationship corresponding to that post node relationship.
8. The post data processing apparatus according to claim 6 or 7, wherein the facultative post graph output module comprises:
a first node searching unit, configured to breadth-first traverse each system node on the post decision graph, and search for system nodes that are the same as the more than one target system as target system nodes;
a second node searching unit, configured to traverse, for each target system node, each authority node under each target system node, and search for each authority node that is the same as each first authority as a target authority node, wherein each first authority refers to each target authority under the target system corresponding to each target system node;
a third node searching unit, configured to traverse each post node under each target permission node, and search for a post node having the same label as the old post data label or the new post data label as a target post node;
and a node relation extraction unit, configured to extract and output, on the post decision graph, the target system nodes, the target permission nodes, the target post nodes and the node relations among the extracted nodes, to obtain the facultative post graph of the target employee.
9. A computer device comprising a memory, a processor and a computer program stored in said memory and executable on said processor, characterized in that said processor implements the post data processing method according to any one of claims 1 to 5 when executing said computer program.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the post data processing method according to any one of claims 1 to 5.
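The traversal and time checks of claims 1, 3 and 4, as an added Python example that is not code from the patent. The graph contents, post names, dates and function names are constructed for illustration, and a plain dictionary stands in for the graph database. Skipping permissions that the new post also grants is an assumption added here so that legitimate use does not raise an alert.

```python
from datetime import datetime, timedelta

# Constructed post decision graph: system -> permission -> posts allowed to hold it.
DECISION_GRAPH = {
    "claims-system": {
        "approve_claim": {"claims_adjuster", "claims_manager"},
        "view_claim": {"claims_adjuster", "underwriter"},
    },
    "policy-system": {
        "issue_policy": {"underwriter"},
    },
}
# Constructed facultative relations: (old post, new post) -> facultative duration.
FACULTATIVE = {
    ("claims_adjuster", "underwriter"): timedelta(days=30),
    ("claims_adjuster", "claims_manager"): timedelta(days=90),
}


def facultative_post_graph(old_post, new_post, target_perms):
    """Claim 3: walk system -> permission -> post, keeping only matching edges."""
    edges = []
    for system, perms in DECISION_GRAPH.items():
        wanted = target_perms.get(system, set())
        for perm in sorted(perms.keys() & wanted):
            for post in sorted(perms[perm] & {old_post, new_post}):
                edges.append((system, perm, post))
    return edges, FACULTATIVE.get((old_post, new_post))


def review(old_post, new_post, transfer_time, target_perms, last_used, now):
    """Claims 1 and 4: flag an overrun relation and late use of old-post permissions."""
    edges, limit = facultative_post_graph(old_post, new_post, target_perms)
    result = {"edges": edges, "limit": limit, "expired": False, "late_use": []}
    if limit is None:  # no facultative relation recorded for this pair of posts
        return result
    elapsed = now - transfer_time        # time already spent holding both posts
    result["expired"] = limit < elapsed  # claim 1 comparison
    deadline = transfer_time + limit     # claim 4: latest permitted use time
    new_post_perms = {(s, p) for s, p, post in edges if post == new_post}
    for system, perm, post in edges:
        used = last_used.get((system, perm))
        if post != old_post or used is None:
            continue
        # Assumption added here: a permission the new post also grants is not alerted.
        if (system, perm) in new_post_perms:
            continue
        if used > deadline:
            result["late_use"].append((system, perm))
    return result


# Constructed sample: transfer on 1 Jan, review on 1 Mar (60 days of overlap).
TRANSFER = datetime(2024, 1, 1)
NOW = datetime(2024, 3, 1)
TARGET_PERMS = {
    "claims-system": {"approve_claim", "view_claim"},
    "policy-system": {"issue_policy"},
}
LAST_USED = {  # as would be extracted from the system operation log
    ("claims-system", "approve_claim"): datetime(2024, 2, 10),
    ("claims-system", "view_claim"): datetime(2024, 2, 20),
    ("policy-system", "issue_policy"): datetime(2024, 2, 25),
}

if __name__ == "__main__":
    r = review("claims_adjuster", "underwriter", TRANSFER, TARGET_PERMS, LAST_USED, NOW)
    print("relation overrun:", r["expired"])
    print("alert on:", r["late_use"])
```
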
CN201910603609.0A 2019-07-05 2019-07-05 Post data processing method and device, computer equipment and storage medium Active CN110457529B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910603609.0A CN110457529B (en) 2019-07-05 2019-07-05 Post data processing method and device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910603609.0A CN110457529B (en) 2019-07-05 2019-07-05 Post data processing method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110457529A CN110457529A (en) 2019-11-15
CN110457529B true CN110457529B (en) 2022-07-12

Family

ID=68482163

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910603609.0A Active CN110457529B (en) 2019-07-05 2019-07-05 Post data processing method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110457529B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant